7 Phrases Killing Our Industry (aka some Friday humor)

October 10th, 2014

So it’s Friday and the end of another work week for most. It’s been another productive one here at Emagined. However, after some heads-down, hands-on technical work, I thought it’d be good to blog a light-hearted, tongue-in-cheek piece poking fun at our industry and the folks in it, such as me and my colleagues. Security is often all too serious and sometimes stressful, so it’s nice to mix it up.

Again, this blog is written with affability and is not intended to offend. Please do let us know your feedback and comments on the blog as always, but be forewarned: the piece was drafted in humor. Best!

Categories: Human Condition

To Ring or Not To Ring?

September 25th, 2014

So it’s been a few weeks since Def Con 2014 and I’m still impressed with the year-over-year growth in attendance for the Social Engineering CTF. What started out a few years ago as a small “show and learn” about social engineering (aka the hackers’ confidence game) and Corporate America’s general unpreparedness in the face of it has blossomed into a busy hub of capture-the-flag comings and goings, with few, if any, seats left when a session is ongoing. And the sessions themselves? Also better. Perhaps it’s the practice and social maturity of the contestants, perhaps it’s the consistency and refinement from the contest organizers/sponsors, or perhaps it’s a bit of luck of the draw, since some people “gush” after all, in any setting, especially those in certain organizations targeted every year for their information bounty. Regardless, it got me thinking more about what I saw, what I’ve experienced in my own professional and personal life, and where things are, or might be, headed.

First, a quick diversion, a little bit about me to help set the stage for where I’m coming from in this blog: I like ideas, especially when they’re still relatively new and not yet fads, and especially those that pertain to the human condition, even the bad ideas. So it was with phishing when most people *yawn*. [Yeah, it’s still like that today. <smile>] But I digress….

Categories: Human Condition

What’s our Policy on That?

Companies of all sizes continue to struggle with information security policies and other rules designed to help protect their information. In 30 years of information security practice, some issues come up time and time again that contribute to the problem of inadequate information security policies. While few would dispute the need to have actual policies about information security, that is often where agreement stops. The concept of having policies, defining them, and enforcing them is often more than a little controversial for many companies.

Most information security policies evolved out of the old familiar “do’s and don’ts” set of rules. Oftentimes the do’s and don’ts were the least controversial of policies and included such things as guidance on what not to say in an e-mail, how to handle confidential company information, what usage of the Internet is permissible, and so forth. Too often the do’s and don’ts policy was a clone of an article from an HR manager journal published a year earlier, and it has received almost no attention since. Companies often lack the resolve to use the do’s and don’ts policy as a basis for disciplinary measures of any kind, let alone as the basis for termination. However, the one thing the do’s and don’ts policy did enable everyone to do was to righteously claim, “Yes, Boss, we do have an information security policy.”


RIM or Precipice

News of RIM’s apologies concerning the multiple-day outage of its services, beginning Saturday morning October 8, illustrates a very important point. At the retail level it may be okay to remain silent or mumble about the circumstances of an outage (as my cell provider did in this case). However, when dealing with enterprises that purchase services in mass quantities as part of a broader strategy of delivering services to their customers through a well-equipped employee base, the reverse is true. RIM had remained silent for five days about the details, the causes and, most importantly, the estimates for remediation of this outage. This is inexcusable for anyone offering an enterprise-class product.

The Changing Nature of Incident Response: Part 3

The ultimate test of the value of an incident response team is how that team handles crises. Crises are generally not everyday occurrences. In fact, most issues with which an incident response team must deal are not of a bona fide emergency nature. That is why from the very onset of computer incident response teams I have objected to any incident response team name that includes “emergency” or “crisis” in it, because these terms represent little more than massive embellishment of the true nature of most of their activities.


Categories: Network Security

The Changing Nature of Incident Response: Part 2

Perhaps the biggest single step in the life cycle of an incident response team is going operational. The major problem with getting the Department of Energy’s incident response team operational was that there was nothing–no policies, no standards, and virtually no procedures concerning incident response at that time. The CERT/CC team claimed that it was operational at that time, but if that were true, there would have been some kind of indication that operations were taking place, and there was no indication whatsoever. One of the best ways that my management ever helped at that time was to inform me of other emergency response teams and to try to get me in touch with people who managed such efforts. One such team was the Nuclear Energy Search Team (NEST) at Lawrence Livermore National Laboratory. Discussions with the manager and some of the more senior staff members of this team helped me better understand the kind of procedures that would have to be performed, the kinds of communication that would have to occur, and how action priorities would have to be determined. Still, the nuclear arena is not all that closely aligned with the information security arena, and after I was finished meeting with NEST members I developed a kind of sinking feeling that there was much more to do than I had ever imagined. And at the time the team I managed consisted only of myself.


Categories: Network Security

The Changing Nature of Incident Response: Part 1

I’ve been affiliated with incident response in one way or another since 1988. I am not saying this boastfully, as I’ve made many mistakes both in responding to incidents technically and in managing incident response efforts. At the same time, however, when I first entered the incident response arena, there were no policies, standards, and procedures, and not really any requirements, either, to guide incident response efforts. Everyone who played in this arena originally had to use a combination of intuition and learning from mistakes just to get by.


Categories: Network Security

To Share or Not to Share, That Is the Question

The Obama Administration (and in particular the U.S. State Department) continues to take the heat for the massive leakage of U.S. government documents courtesy of WikiLeaks (and allegedly originally because of the actions of PFC Bradley Manning). The volume of vitriol directed at President Obama and Secretary of State Hillary Clinton is astounding; members of the information security community have contributed more than their fair share of it. How could the U.S. government, they say, have been so negligent regarding access control that even a lowly private in the U.S. Army could allegedly gain access to these documents?


Categories: Network Security